Threat modelling

Threat modelling

As an external consultant that focuses on application penetration testing I’m not usually invited to application design, business logic discussions or threat modelling sessions. A few weeks ago a client invited me to be part in a threat modelling exercise for their latest and greatest feature that is still in design phase.

The client wanted me to explain threat modelling to a group of architects, senior developers and product owners, and then apply the newly learned knowledge to the specific feature they were developing. The following slide deck was used during those meetings:

Tips and tricks

Preparation is king: before going into a threat modelling meeting make sure you completely understand what the product and feature does. Ask the product owner to explain it to you before hand.

Take pictures and notes: threat modelling meetings are fast paced, if you don’t take pictures of all the diagrams and flows that are drawn on the whiteboard those will disappear.

Propose solutions to all issues: don’t schedule another meeting to talk about solutions for the identified vulnerabilities. People will try to fix the issue right after finding it let them do it and make sure to take notes.

Assign an owner to each solution: tasks that don’t have an owner will never be done, assign an owner before finishing the meeting.

Tracking: make sure the application security team knows about all the solutions that need to be implemented and the corresponding owners. They are in charge of making sure all of those solutions were properly implemented.

Documentation

Hate writing application penetration test reports? Threat modelling documentation is ten times worse, for each hour of face-to-face meeting with the team you’ll have to spend at least five hours to properly document all attacks, solutions and owners.

This is not a bad thing, it is just how threat modelling works!

Overall experience

The meetings went really well: the team was able to come up with some amazing attacks and propose solutions to all of them.

During these meetings, and from the point of view of an external consultant that usually sees applications that have more holes than gruyere cheese, I got the feeling that this application was going to be secure and that real effort was put in doing things the right way from the beginning.

If you’re not doing threat modelling, give it a try! You might like it!